Closed Bug 1141052 Opened 9 years ago Closed 9 years ago

SelfSupportBackend.jsm should only allow https URLs in browser.selfsupport.url

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 40
Tracking Flags:
Tracking Status
firefox40 --- fixed

People

(Reporter: Gavin, Assigned: Dexter)

References

Details

Attachments

(3 files, 3 obsolete files)

Changes to addon-sdk prefs v2
3.05 KB, patch
Dexter
: review+
Details | Diff | Splinter Review
bug141052.patch
5.71 KB, patch
Dexter
: review+
Details | Diff | Splinter Review
changes to talos preference and font
2.12 KB, patch
Dexter
: review+
Details | Diff | Splinter Review 
It's generally not safe to allow using an http:// page for self-support, so we should add code to only allow loading https URIs.

This will also require changing the dummy URLs used in Talos (similar bug 1138823) and in addon-sdk/source/python-lib/cuddlefish/prefs.py and addon-sdk/source/test/preferences/no-connections.json.
Thanks for reporting this. It's on my radar and I'll be working on it asap :)
Attached patch bug141052.patch (obsolete) — Splinter Review 
This patch makes SelfSupport backend report an error if the self support URL is not using HTTPS. It also changes tests accordingly.
Attachment #8575221 - Flags: review?(gfritzsche)
Comment on attachment 8575221 [details] [diff] [review]
bug141052.patch

Review of attachment 8575221 [details] [diff] [review]:
-----------------------------------------------------------------

What about convenient local testing or developing without https?
For other components we allow overrides with a hidden pref (with no default value).
Attachment #8575221 - Flags: review?(gfritzsche) → review+
Prefs can be abuse, easy enough to modify the relevant code locally for dev testing.
Attached patch Changes to Talos (obsolete) — Splinter Review 
Assignee: nobody → alessio.placitelli
Status: NEW → ASSIGNED

        Attachment #8579312 -
        Flags: review?(jmaher)

    
    

    
  
Comment on attachment 8579312 [details] [diff] [review]
Changes to Talos

Review of attachment 8579312 [details] [diff] [review]:
-----------------------------------------------------------------

you are aware this will resolve to a 404, but http vs https will still be valid :)

        Attachment #8579312 -
        Flags: review?(jmaher) → review+

    
    

    
  
(In reply to Joel Maher (:jmaher) from comment #6)
> Comment on attachment 8579312 [details] [diff] [review]
> Changes to Talos
> 
> Review of attachment 8579312 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> you are aware this will resolve to a 404, but http vs https will still be
> valid :)

Yes, but thanks for pointing that out ;-)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Changes to addon-sdk prefs (obsolete)
        — Splinter Review
      

    


  
This patch changes addon-sdk prefs.

        Attachment #8579905 -
        Flags: review?(gfritzsche)

    
    

    
  
Comment on attachment 8579905 [details] [diff] [review]
Changes to addon-sdk prefs

Review of attachment 8579905 [details] [diff] [review]:
-----------------------------------------------------------------

::: addon-sdk/source/python-lib/cuddlefish/prefs.py
@@ +59,5 @@
>      'browser.safebrowsing.updateURL': 'http://localhost/safebrowsing-dummy/update',
>      'browser.safebrowsing.gethashURL': 'http://localhost/safebrowsing-dummy/gethash',
>      'browser.safebrowsing.reportURL': 'http://localhost/safebrowsing-dummy/report',
>      'browser.safebrowsing.malware.reportURL': 'http://localhost/safebrowsing-dummy/malwarereport',
> +    'browser.selfsupport.url': 'https://localhost/repair-dummy',

Better naming please, selfsupport-dummy?

::: addon-sdk/source/test/preferences/no-connections.json
@@ +16,5 @@
>    "browser.safebrowsing.updateURL": "http://localhost/safebrowsing-dummy/update",
>    "browser.safebrowsing.gethashURL": "http://localhost/safebrowsing-dummy/gethash",
>    "browser.safebrowsing.reportURL": "http://localhost/safebrowsing-dummy/report",
>    "browser.safebrowsing.malware.reportURL": "http://localhost/safebrowsing-dummy/malwarereport",
> +  "browser.selfsupport.url": "https://localhost/repair-dummy",

Better naming please, selfsupport-dummy?

        Attachment #8579905 -
        Flags: review?(gfritzsche) → review+

    
    

    
  


  

        Attachment #8579905 -
        Attachment is obsolete: true

        Attachment #8579969 -
        Flags: review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        bug141052.patchSplinter Review
      

    


  
Fixed the failing tests on try server and updated the commit message.

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=757a43a50e6d

        Attachment #8575221 -
        Attachment is obsolete: true

        Attachment #8581478 -
        Flags: review+

    
    

    
  
talos is updated on inbound.  Please close this bug if there is nothing left to do.

    
    

    
  


  
and with the font taken care of we should be good!

        Attachment #8579312 -
        Attachment is obsolete: true

        Attachment #8591717 -
        Flags: review?(alessio.placitelli)

    
    

    
  
Comment on attachment 8591717 [details] [diff] [review]
changes to talos preference and font

Review of attachment 8591717 [details] [diff] [review]:
-----------------------------------------------------------------

::: talos/mtio-whitelist.json
@@ +38,5 @@
>   "{FONTS}\\RAAVI.TTF": {},
>   "{FONTS}\\SEGOEUI.TTF": {},
>   "{FONTS}\\SEGOEUIB.TTF": {},
>   "{FONTS}\\SEGOEUII.TTF": {},
> + "{fonts}\\segoeuil.ttf": {},

The other fonts are uppercase, while this is lowercase. Is it the same? Maybe we should keep the case to be consistent with the other entries. What do you think?

        Attachment #8591717 -
        Flags: review?(alessio.placitelli) → review+

    
    

    
  
I had to think about that for a moment, I will fix it to be uppercase and land it!

    
    

    
  
talos is live on trunk, feel free to close this out if needed.

    
    

    
  
Thanks :jmaher! I'm marking this as checkin-needed for the other patches (bug141052.patch and Changes to addon-sdk prefs v2).

Updated try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e5cf29f62351
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/4ff9b0890ea7
https://hg.mozilla.org/mozilla-central/rev/cc0dc8a81bad
Status: ASSIGNED → RESOLVED
Closed: 9 years ago

          status-firefox40:
          --- → fixed
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → Firefox 40

    
    

    
  
Commit pushed to master at https://github.com/mozilla/addon-sdk

https://github.com/mozilla/addon-sdk/commit/1ef9b052b5103cee7ca9e2a8459cff5f9479724d
Bug 1141052 - Change SelfSupport test preferences to use HTTPS instead of HTTP. r=gfritzsche

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: